Description

The goal here is to provide network isolation between containers so that one container cannot saturate the entire network, affecting the performance of other containers.

There are many options here. With the current network monitoring code (MESOS-1228, already committed), one option is to add a tc police action on the veth of each container to drop packets once the container's traffic exceeds a configured rate.

Other options include more advanced traffic shaping using tc classes (e.g., HTB, CBQ, etc.). We will need to extend the current routing library to support that.
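The two options above written out as tc commands, as an added example that is not Mesos code and not part of this ticket: a police filter on the host side of one container's veth (packets over the rate are dropped), and an HTB class as the shaping alternative (excess is queued instead). The interface name and rates are constructed placeholders; DRY_RUN=1 (the default) prints each command instead of running it, so the script can be reviewed without root and without a real veth.

```shell
#!/bin/sh
# Added example (not Mesos code): apply the two isolation options from the
# description to one container's veth. Interface names and rates below are
# constructed placeholders; DRY_RUN=1 (default) prints the tc commands
# instead of executing them, so the script can be reviewed without root.

TC=${TC:-tc}
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Option 1: tc police action. Seen from the host, packets the container
# sends arrive as ingress on its veth, so an ingress qdisc plus a police
# filter drops whatever exceeds the rate (no queueing, just drops).
police_veth() {
  dev=$1; rate=$2; burst=${3:-100k}
  run "$TC" qdisc add dev "$dev" handle ffff: ingress
  run "$TC" filter add dev "$dev" parent ffff: protocol ip u32 match u32 0 0 \
      police rate "$rate" burst "$burst" drop flowid :1
}

# Option 2: HTB shaping for traffic the host sends into the container.
# Excess packets are queued up to the class ceiling rather than dropped.
shape_veth() {
  dev=$1; rate=$2; ceil=${3:-$rate}
  run "$TC" qdisc add dev "$dev" root handle 1: htb default 10
  run "$TC" class add dev "$dev" parent 1: classid 1:10 htb rate "$rate" ceil "$ceil"
}

# Undo both (for when the container goes away).
remove_veth_limits() {
  dev=$1
  run "$TC" qdisc del dev "$dev" ingress
  run "$TC" qdisc del dev "$dev" root
}

# Show what the limits would look like; veth_c0 is a placeholder name.
police_veth veth_c0 10mbit
shape_veth veth_c0 10mbit 20mbit
```

Run with DRY_RUN=0 as root to actually apply the rules; `tc -s qdisc show dev veth_c0` then reports how many packets the police filter has dropped, which is the number to watch when tuning the burst size.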

Benjamin Hindman
added a comment - 15/Jul/14 19:26 I haven't chatted with anyone (yet) about integrating this with the DockerContainerizer, but it's definitely possible and could be a nice win to get network isolation for Docker.

Timothy St. Clair
added a comment - 15/Jul/14 14:53 Benjamin Hindman & Jie Yu
Is there a map between the native work being done here, and possible iptables mods in Docker containers?
Arguably you can easily fudge iptables of a Docker container to get similar behavior, and I believe this is the roadmap for their QoS tiers in Kubernetes.